Amazon Linux 1 Security Advisory: ALAS-2019-1208
Advisory Release Date: 2019-05-16 23:11 Pacific
Advisory Updated Date: 2019-05-20 18:59 Pacific
Severity:
Important
Issue Overview:
2024-04-01: CVE-2019-0232 was removed from this advisory.
When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)
The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)
Affected Packages:
tomcat8
Issue Correction:
Run yum update tomcat8 to update your system.
New Packages:
noarch:
tomcat8-8.5.40-1.79.amzn1.noarch
tomcat8-docs-webapp-8.5.40-1.79.amzn1.noarch
tomcat8-el-3.0-api-8.5.40-1.79.amzn1.noarch
tomcat8-admin-webapps-8.5.40-1.79.amzn1.noarch
tomcat8-jsp-2.3-api-8.5.40-1.79.amzn1.noarch
tomcat8-log4j-8.5.40-1.79.amzn1.noarch
tomcat8-servlet-3.1-api-8.5.40-1.79.amzn1.noarch
tomcat8-webapps-8.5.40-1.79.amzn1.noarch
tomcat8-lib-8.5.40-1.79.amzn1.noarch
tomcat8-javadoc-8.5.40-1.79.amzn1.noarch
src:
tomcat8-8.5.40-1.79.amzn1.src